Securing the Smart City

With the Internet of Things making smart city projects an everyday reality, Stephen Pritchard explores what steps are being taken to tackle the security and privacy issues that so often surround them

"In a smart city, everyone knows your name." This is how Gareth Jones, partner at law firm Bond Dickinson, describes the privacy issues around smart city projects.

Jones' warning was issued to a recent conference on smart cities organized in London by the Westminster eForum, where he explored how security and privacy are emerging as two hidden challenges of smart city projects.

As urban populations grow, public authorities are looking for new ways to deal with congestion, pollution and crime. Applying Internet of Things (IoT) technologies, sensors, and low-power, wide area (LPWA) networks gives administrators a much more detailed and up-to-date picture of what is happening in the city.

"IoT can address problems including parking and traffic, clean water, air pollution and landfill waste," says Tony Judd, managing director for UKI & Nordics at Verizon. "We'll see a massive flow of information from IoT devices."

Increasingly, these data flows are at the heart of urban planning, but connecting city systems brings risks.

"Cybersecurity is a major challenge," warns Cesar Cerrudo, board member of the Securing Smart Cities industry group and CTO of IOActive Labs. "Cities around the world are deploying technology without making sure it’s secure. We haven’t seen important attacks yet… but it’s just a matter of time until attackers target cities."

"Smart infrastructure requires cybersecurity," agrees Dan Byles, vice-president at Living PlanIT and chair of industry group SmartUK. "The idea that older infrastructure is not vulnerable to cyber-attack is a fallacy. Being smarter is fundamentally part of making the infrastructure more secure."

A Matter of Scale

Smart city technology has to communicate across networks and the public internet, and operate at a massive scale.

"You need to think of how to manage these [networks] at a scale with hundred or a thousand-times more devices than the average enterprises run," says Alex Bazin, vice-president and head of Internet of Things at IT vendor Fujitsu. "You could have tens of millions of users and hundreds of millions of devices, and they need to be maintained, managed, and serviced."

As Bazin warns, older hardware might not have been designed with security in mind, and offers no easy way to apply patches or updates. Updates might even need engineers to visit each device to apply a patch using a laptop.

"There may not be a connection to a fixed network, and LPWA networks don't have a lot of bandwidth. A traditional patch management approach would be a challenge," says Bazin.

Connecting together systems that are designed to operate in discrete silos, isolated from public networks, creates further risks.

"When you put systems together, the attack surface is larger," cautions Aidan Jarvis, cybersecurity expert at PA Consulting. "Smart cities bring together operational technology and use data to make the city more efficient or to make services better, but by bringing it together you have more for the bad guys to misuse or abuse." API security, and the interfaces between systems, are areas hackers are most likely to exploit, he adds.

However, the real risk in smart city projects lies less in the potential to disrupt operational systems, and more in exploiting sensitive and often personal data.

Deanonymizing Data

"Someone could turn traffic lights on or off, but there is not much value in stopping a car in the middle of the road," says Jarvis. "I could make that point by going onto a bridge and dumping horse manure."

However, cities could store up problems by collecting and holding data, if they combine and analyze data sets that were originally meant to be separate. It could, for example, lead to individuals being identified from data that administrators thought was anonymized.

CISOs must be sure they have full correct consent for any information gathered from the public.

"If you can link CCTV with other data sets that identify people as individuals, you are dealing with personal data, and that can be very dangerous territory," says Bond Dickinson's Jones.

"It's important that we map data flows, identify who has touch points with the data, who the controller and processor is, and ensure compliant agreements are in place."

PlanIT's Byles agrees: "Don't collect more data than necessary, and don't aggregate data unnecessarily, that will reduce the attack surface. Most data should be used close to where it’s gathered."

For smart city projects to succeed in improving our quality of life, they have to be ambitious, and often, bold. But ignoring data security and privacy is not an option. Overcoming technical security challenges is the only way city leaders can ensure the future of urban areas is both efficient, and safe.

Case Study: San Diego

The city of San Diego is one of the fastest-growing in the US; the San Diego county area reached 3.3 million people earlier this year.

For urban San Diegans, this presents a suite of familiar problems: congestion, air quality, demand for water, energy and housing. However, as the city is home to some of the key names in technology – from Qualcomm to the US Navy's United States Navy Space and Naval Warfare Systems Command – there are also local solutions.

Projects underway in San Diego include a $30m upgrade to install smart street lights, and fitting HD cameras to traffic signals, supported by a fiber data network.

Cities are increasingly aware of the security issues surrounding these technologies, says David Graham, deputy COO for Neighboring Services at San Diego. "The roadmap for infrastructure depends on having security, and interoperability," he says.

San Diego started its journey with a risk assessment of all its smart city projects, and now uses the NIST Cyber Security Framework (CSF) for security controls.

"The issue from a cyber-perspective is city networks have a disparate mix of technologies," says Gary Hayslip, CISO for the City of San Diego. "We have had to understand not only how to implement and install these new smart technologies, but how to update them, and what they look like when you do security scans.”

"Many of our concerns with these technologies have been that they are so new that from a risk perspective you are not sure of the impact if they are compromised."

To bolster security, the city hired Hayslip as CISO and built both cyber operations and cyber engineering teams. The city is working on PCI DSS certification and is building a security operations center (SOC). The city also has clear policies for buying smart city technology.

"When talking to vendors or partners, I am looking for what regulatory regimes they follow," Hayslip explains. "We are now asking as part of contracts that we see the results of [vendors'] regulatory assessments. We require all vendors and partners who access city networks or use city data to notify the city CISO if there is a security incident. Failure to do so would result in breach and possible legal ramifications."

Our number one concern is protecting citizens' data, adds Graham. "The public understands we need to provide services, but we have to respect privacy, and preserve public trust."

Case Study: Milton Keynes

Milton Keynes is a ‘new town’ some 55 miles to the North West of London. It is home to around 230,000 people as well as the Open University, the UK's largest base for distance learning.

Unusually for a British city, Milton Keynes is built on a street grid system. That, combined with the Open University's large academic presence, and its location equidistant from London, Birmingham, Oxford and Cambridge, means it is an ideal test bed for the city's MK:Smart initiative.

MK:Smart is very much based around data sharing via the MK Data Hub. One example is Cloud Enabled Mobility (CEM), which brings public transport information together in one smartphone app. Another is the city's use of Data Hub to collect information on electric car usage and to help local people find the best place to site solar panels.

MK:Smart board member Geoff Snelson describes the project as a "city scale data hub", with 700 data sets. Its design allows data to have individual policies and terms and conditions, so some sets are available freely, but others can be used commercially.

"The MK:Smart project is designed to enable data aggregation from multiple sources, so enabling the development of new applications and service efficiencies to benefit local enterprises and citizens," explains Snelson.

"Our engagement with local citizens has shown they understand the potential benefits of data sharing for themselves and their communities and are prepared to share under certain conditions." These include ensuring that citizens' data are used only for specific purposes and that citizens also keep some degree of control.

"Public confidence in security and privacy is a pre-requisite if we are to realize fully the opportunity of big data," notes Snelson.

Box-out: Case Study: Bristol

Bristol's history as a trading post and port has made it open to new ideas. Today the city is a technology hub, with HP's largest lab outside the US, one of the UK's leading robotics labs at the University of Western England, and a strong history in communications technologies.

This, says Rick Chapman, specialist adviser to Invest Bristol and Bath, is one reason why the city is at the forefront of smart technology. A strong security culture – developed through years of experience in fields such as telecoms and defense – makes Bristol a trusted location for new projects.

The ‘Bristol is Open’ project effectively turns the city into a living lab for emerging technologies. The organization describes itself as an "open programmable city", based around both fiber and a city-wide mesh network. Data privacy is high on the list of the project's priorities and data is anonymized before being shared through the open data portal.

Strict privacy and security are essential if commercial partners are to contribute to the project, says Chapman. "If we want to reduce congestion by directing drivers to car parks with empty spaces, we can monitor cars coming down the M32 motorway via cell towers, but that means we are extending our trust to the mobile operators, and they have to make sure all data are anonymized."

Case Study: Singapore

As a city state, Singapore's smart city security and national security, are closely linked. In fact, Singapore calls its work its Smart Nation initiative.

"Smart Nation is a whole-of nation effort to support better living, create more opportunities, and support stronger communities by harnessing technology, networks and data," says Jacqueline Poh, chief executive

GovTech (Government Technology Agency).

The Smart Nation Program Office in the Singapore prime minister's office acts as coordinator. Projects span housing, mobility and transport, and the digital economy, with the new Government Technology Agency (GovTech), responsible for building infrastructure and technological capabilities to support Smart Nation initiatives.

For security, the Cyber Security Agency of Singapore (CSA) is also closely involved in Smart Nation work. Its role includes guidelines-based architecture and pilot cybersecurity solutions for smart city platforms.

"Cybersecurity is a key enabler in our Smart Nation initiatives," says Ms Poh. "In a world where cyber-attacks are increasing in frequency, scale and sophistication, we need to take data protection seriously.

"The government is constantly reviewing its security protocols in response to the changing threat environment. Like most governments, we are constantly being challenged and there is a need to build up our capability in terms of hardware and software. To guide public servants and prospective IT vendors, we are constantly updating our security and usage policies."

In Singapore, data protection by the private sector is managed through the Personal Data Protection Act (PDPA) and for government through internal regulations. "We are constantly reviewing our approaches to data protection as the space is always evolving," says Ms Poh.

"One principle that we have used is that when providing services, we want citizens to ‘opt-in’ as far as possible, such as in the recently launched MyInfo portal. MyInfo is a consent-based platform that allows citizens who choose to use this feature to provide their personal data to the government one-off instead of doing it repeatedly for every electronic transaction.

We are fortunate that in Singapore, citizen trust is high. But we must not take it for granted."